June 28, 2018


Orchestrate Digital Threat Intelligence: RiskIQ PassiveTotal and Demisto


In today’s rapidly changing digital landscape, a major challenge faced by security teams is the difficulty in reconciling internal IOC and event data with external threat actor behavior and assets. With many attacks originating from outside the firewall, analysts spend inordinate amounts of time combing through multiple data sources to gain additional context into attacks. Users need a platform that unifies intelligence across data sources to accelerate incident response.

Users can now leverage the multi-source threat intelligence capabilities of RiskIQ PassiveTotal with the security orchestration and automation features of Demisto Enterprise for repeatable and scalable incident response that coordinates across different security measures.

Integration Features

  • Automate enrichment of alerts as playbook tasks: passive DNS information, SSL certificate data, WHOIS data, IOC intelligence, and so on.
  • Run search and query operations on WHOIS, SSL, and OSINT data based on keywords and metadata.
  • Leverage hundreds of Demisto product integrations to further enrich RiskIQ data and coordinate response across security functions.
  • Run thousands of commands (including for RiskIQ) interactively via a ChatOps interface while collaborating with other analysts and Demisto’s chatbot.


USE CASE #1

Automated phishing enrichment and response

Challenge

There is often a mismatch between the high volume of phishing attacks and the agility with which analysts can respond to them. Phishing attack identification, triage, reputation checks, and response involve switching between multiple screens, mundane and repetitive tasks, and a tunnel vision that hides the larger attack campaign of which the phish is only one mechanism.

Solution

Security teams can use the RiskIQ integration to automate multi-source enrichment of and response to phishing attacks via playbooks. Once alerts have been ingested into Demisto, playbooks can query RiskIQ’s platform to get data from WHOIS, SSL certificates, passive DNS, host pairs, and internal IOCs, among others.

Playbooks can also orchestrate across other security products to execute actions such as sending users an email, opening a ticket, quarantining an endpoint, and detonating a file hash in a sandbox. Security teams can also choose to place bottlenecks before important tasks, giving them manual oversight to verify the preceding information and guide playbook progression.


Benefit

Enrichment and response playbooks automate a host of actions across products so that analysts have a wealth of information at their fingertips while starting incident investigation. Automating RiskIQ lookups can save screen switching time and execute repeatable tasks. Orchestrating actions across products in one window can help analysts coordinate across security functions for richer and deeper incident context.


USE CASE #2

Interactive, real-time investigation for complex threats

Challenge

While standardized, repeatable playbooks can automate commonly performed tasks to ease analyst load, an attack investigation usually requires additional tasks such as pivoting from one suspicious indicator to another to gather critical evidence, drawing relations between incidents, and finalizing resolution. Running these commands by hand traps analysts in a screen-switching cycle during the investigation and a documentation-chasing cycle after it ends.

Solution

After running enrichment playbooks, analysts can gain greater visibility and new actionable information about the attack by running RiskIQ commands in the Demisto War Room. For example, if playbook results surface alert details, analysts can get host pairs, subdomains, and DNS data tied to that alert in real time by running the respective RiskIQ command. Analysts can also run commands from other security tools in real time from the War Room, giving a single-console view for end-to-end investigation.

The War Room documents all analyst actions and, over time, suggests the most effective analysts and command sets.
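The two solution sections above (automated multi-source enrichment with a manual bottleneck before disruptive actions, and the interactive pivot from one indicator to related hosts) can be shown end to end in a small script. The following is an added example, not Demisto's or RiskIQ's code and not the product's API: every data source in it (passive DNS, WHOIS registration dates, SSL certificate subjects, host pairs) is a constructed in-memory table that stands in for the integration's lookup commands, and the alert, domains, IPs and verdict thresholds are assumptions made for the example.

```python
import re
from datetime import date, timedelta

# Constructed enrichment data standing in for passive DNS, WHOIS, SSL and host-pair lookups
# (assumptions for this example, not real RiskIQ output).
PASSIVE_DNS = {
    "login-example-bank.test": ["203.0.113.10"],
    "updates-example.test": ["203.0.113.10", "198.51.100.7"],
    "www.example-bank.test": ["192.0.2.5"],
}
WHOIS_CREATED = {  # registration date per domain
    "login-example-bank.test": "2018-06-20",
    "updates-example.test": "2018-06-21",
    "www.example-bank.test": "2009-03-01",
}
SSL_SUBJECT = {  # IP -> subject CN of the certificate observed on that host
    "203.0.113.10": "login-example-bank.test",
    "192.0.2.5": "www.example-bank.test",
}
HOST_PAIRS = {  # parent page -> child hosts it was observed loading content from
    "login-example-bank.test": ["cdn.updates-example.test"],
}
# Constructed phishing alert as it might look once ingested as an incident.
ALERT = {
    "received": "2018-06-28",
    "body": "Please sign in at https://login-example-bank.test/verify?id=42 or "
            "http://updates-example.test/patch; help: https://www.example-bank.test/help",
}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def extract_domains(text):
    """Pull the host part out of every URL in the alert text."""
    return sorted({m.group(1).lower() for m in URL_RE.finditer(text)})

def reverse_dns(ip):
    """Passive DNS in reverse: every domain that has resolved to this IP."""
    return sorted(d for d, ips in PASSIVE_DNS.items() if ip in ips)

def enrich(domain):
    """The playbook's fan-out task: query each source and merge into one record."""
    ips = PASSIVE_DNS.get(domain, [])
    return {
        "domain": domain,
        "passive_dns": ips,
        "created": WHOIS_CREATED.get(domain),
        "ssl_subjects": [SSL_SUBJECT[ip] for ip in ips if ip in SSL_SUBJECT],
        "host_pairs": HOST_PAIRS.get(domain, []),
        "co_hosted": sorted({d for ip in ips for d in reverse_dns(ip)} - {domain}),
    }

def assess(info, alert_date, new_days=30):
    """Turn the merged record into a verdict plus the reasons behind it."""
    if not info["passive_dns"] and not info["created"]:
        return "unknown", ["no enrichment data"]
    reasons = []
    age = date.fromisoformat(alert_date) - date.fromisoformat(info["created"]) if info["created"] else None
    if age is not None and age <= timedelta(days=new_days):
        reasons.append("registered within %d days of the alert" % new_days)
    if info["co_hosted"]:
        reasons.append("shares hosting with " + ", ".join(info["co_hosted"]))
    if any(cn != info["domain"] for cn in info["ssl_subjects"]):
        reasons.append("certificate subject does not match domain")
    verdict = "malicious" if len(reasons) >= 2 else "suspicious" if reasons else "benign"
    return verdict, reasons

def plan_response(verdict):
    """Ordered (action, needs_analyst_approval) steps; the approval flag is the
    'bottleneck' that holds the playbook until an analyst confirms."""
    if verdict == "benign":
        return [("close-incident", False)]
    if verdict == "unknown":
        return [("open-ticket", False)]
    # quarantine is disruptive: automatic only on a malicious verdict, gated otherwise
    return [("open-ticket", False), ("email-user", False),
            ("quarantine-endpoint", verdict != "malicious")]

def run_playbook(alert):
    """Enrich every indicator in the alert and attach verdict and response plan."""
    result = {}
    for domain in extract_domains(alert["body"]):
        verdict, reasons = assess(enrich(domain), alert["received"])
        result[domain] = {"verdict": verdict, "reasons": reasons, "response": plan_response(verdict)}
    return result

def pivot(start, max_hops=2):
    """War Room follow-up: hop from a domain to its co-hosted domains and host pairs,
    repeat from those, and return everything reachable within max_hops."""
    seen, frontier = {start}, [start]
    for _ in range(max_hops):
        nxt = []
        for d in frontier:
            info = enrich(d)
            for related in info["co_hosted"] + info["host_pairs"]:
                if related not in seen:
                    seen.add(related)
                    nxt.append(related)
        frontier = nxt
    return sorted(seen - {start})

if __name__ == "__main__":
    for domain, r in run_playbook(ALERT).items():
        print(domain, r["verdict"], r["reasons"], r["response"])
    print("pivot from login-example-bank.test:", pivot("login-example-bank.test"))
```

Running it shows the two lookalike domains scored as malicious on overlapping evidence (recent registration, shared hosting, a certificate issued for a different name), the bank's real site scored benign, and the pivot from the first phishing domain surfacing the second domain and its CDN host pair, which is the kind of relation the War Room step is meant to expose. The verdict thresholds and the choice of which action sits behind the approval gate are deliberately simple placeholders; a real playbook would tune them to the team's tolerance for automated quarantine.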


Benefit

The War Room allows analysts to quickly pivot and run the commands relevant to incidents in their network from a single window. All participating analysts have full task-level visibility of the process and can run and document commands from that same window. This also removes the need to collate information from multiple sources for documentation.


We hope you found this integration overview helpful. To explore Demisto in greater detail, you can access the Free Community Edition below.


Stay tuned for more product integration walkthroughs in the coming weeks.
